Layer one 2011-sam-bowne-layer-7-dos
  • 1. Layer 7 DoS Attacks and Defenses LayerOne, 2011
  • 2. Bio
  • 3. Summary
    • The DoS Circus
    • Layer 4 DDoS: Thousands of attackers bring down one site
    • Layer 7 DoS: One attacker brings down one site
    • Link-Local DoS: IPv6 RA Attack: One attacker brings down a whole network
  • 4. The DoS Circus Characters
  • 5. Wikileaks
    • Published <1000 US Govt diplomatic cables from a leak of 250,000
    • Distributed an encrypted "Insurance" file by BitTorrent
      – Widely assumed to contain the complete, uncensored leaked data
      – Encrypted with AES-256--no one is ever getting in there without the key
      – Key to be released if Assange is jailed or killed, but he is in the UK now resisting extradition to Sweden and the key has not been released
  • 6. Anonymous
  • 7. Operation Payback
    • 4chan's Anonymous group
      – Attacked Scientology websites in 2008
      – Attacked the RIAA and other copyright defenders
      – Using the Low Orbit Ion Cannon with HiveMind (DDoS)
      – "Opt-in Botnet"
  • 8. HB Gary Federal
    • Aaron Barr
      – Developed a questionable way to track people down online
      – By correlating Twitter, Facebook, and other postings
      – Announced in the Financial Times that he had located the "leaders" of Anonymous and would reveal them in a few days
  • 9. Social Engineering & SQLi
    • http://tinyurl.com/4gesrcj
  • 10. Leaked HB Gary Emails
    • For Bank of America
      – Discredit Wikileaks
      – Intimidate journalist Glenn Greenwald
    • For the Chamber of Commerce
      – Discredit the watchdog group US Chamber Watch
      – Using fake social media accounts
    • For the US Air Force
      – Spread propaganda with fake accounts
    • http://tinyurl.com/4anofw8
  • 11. Drupal Exploit
  • 12. Th3j35t3r
    • "Hacktivist for Good"
    • Claims to be ex-military
    • Originally performed DoS attacks on Jihadist sites
      – Bringing them down for brief periods, such as 30 minutes
      – Announces his attacks on Twitter, discusses them on a blog and live on irc.2600.net
  • 13. Jester's Tweets from Dec 2010
  • 14. Th3j35t3r v. Wikileaks
    • He brought down Wikileaks single-handed for more than a day
      – I was chatting with him in IRC while he did it, and he proved it was him by briefly pausing the attack
  • 15. Wikileaks Outage
    • One attacker, no botnet
  • 16. Th3j35t3r
    • After his Wikileaks attack
      – He battled Anonymous
      – He claims to have trojaned a tool the Anons downloaded
      – He claims to pwn Anon insiders now
  • 17. Jester's Tweets
  • 18. Westboro Baptist Outage
    • 4 sites held down for 8 weeks
    • From a single 3G cell phone
      – http://tinyurl.com/4vggluu
  • 19. Layer 4 DDoS
    • Many Attackers – One Target
    • Bandwidth Consumption
  • 20. Companies that Refused Service to Wikileaks
    • Amazon
    • Paypal
    • Mastercard
    • Visa
    • Many others
  • 21. Low Orbit Ion Cannon
    • Primitive DDoS attack, controlled via IRC
    • Sends thousands of packets per second from the attacker directly to the target
    • Like throwing a brick through a window
    • Takes thousands of participants to bring down a large site
      – They tried but failed to bring down Amazon
  • 22. Low Orbit Ion Cannon
  • 23. Operation Payback v. Mastercard
    • Brought down Visa, Mastercard, and many other sites
      – Easily tracked, and easily blocked
      – High bandwidth, cannot be run through an anonymizer
      – Dutch police have already arrested two participants
  • 24. Mastercard Outage
    • 3,000 to 30,000 attackers working together
  • 25. Layer 7 DoS
    • One Attacker – One Target
    • Exhausts Server Resources
  • 26. Layer 7 DoS
    • Subtle, concealable attack
    • Can be routed through proxies
    • Low bandwidth
    • Can be very difficult to distinguish from normal traffic
  • 27. HTTP GET
  • 28. SlowLoris
    • Send incomplete GET requests
    • Freezes Apache with one packet per second
  • 29. R-U-Dead-Yet
    • Incomplete HTTP POSTs
    • Stops IIS, but requires thousands of packets per second
  • 30. Keep-Alive DoS
    • HTTP Keep-Alive allows 100 requests in a single connection
    • HEAD method saves resources on the attacker
    • Target a page that is expensive for the server to create, like a search
      – http://www.esrun.co.uk/blog/keep-alive-dos-script/
    • A PHP script – php keep-dead.php
  • 31. keep-dead
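The three Layer 7 patterns on slides 28 to 30 leave different fingerprints in a server's connection table, such as an Apache mod_status snapshot. The following is an added detection example, not code from the talk; the connection record, thresholds and client addresses are constructed for the demonstration, and the 100-request figure follows the keep-alive limit quoted on slide 30:

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class Conn:
    """One server-side connection as an Apache mod_status style snapshot shows it."""
    client: str
    state: str       # "R" = still reading the request, "W" = writing a reply, "K" = idle keep-alive
    age: float       # seconds spent in the current state
    requests: int    # requests already served on this keep-alive connection
    method: str
    path: str

SLOW_SECS = 30            # a request still arriving after this long is stalled
SLOW_CONNS = 20           # this many stalled connections from one client is a Slowloris/RUDY pattern
EXPENSIVE = ("/search",)  # pages that are costly to render, the keep-alive DoS target
HEAD_HITS = 50            # this many HEADs to an expensive page on a single connection

def classify(conns):
    """Map client IP -> sorted list of the attack patterns visible in the snapshot."""
    stalled, findings = defaultdict(list), defaultdict(set)
    for c in conns:
        if c.state == "R" and c.age > SLOW_SECS:
            stalled[c.client].append(c)
        if c.method == "HEAD" and c.requests >= HEAD_HITS and c.path.startswith(EXPENSIVE):
            findings[c.client].add("keepalive-dos")
    for ip, cs in stalled.items():
        if len(cs) >= SLOW_CONNS:
            # Slowloris never finishes the headers of a GET; R-U-Dead-Yet trickles in a POST body
            posts = sum(1 for c in cs if c.method == "POST")
            findings[ip].add("rudy" if posts > len(cs) // 2 else "slowloris")
    return {ip: sorted(f) for ip, f in findings.items()}

# Constructed snapshot: 25 half-sent GETs, 30 half-sent POSTs, one connection on its 100th
# HEAD of the search page (the slide's keep-alive limit), and one ordinary client.
SAMPLE = (
    [Conn("203.0.113.7", "R", 90.0, 0, "GET", "/") for _ in range(25)]
    + [Conn("203.0.113.9", "R", 120.0, 0, "POST", "/login") for _ in range(30)]
    + [Conn("198.51.100.4", "W", 0.4, 100, "HEAD", "/search?q=x")]
    + [Conn("192.0.2.1", "W", 0.2, 3, "GET", "/index.html")]
)
```

The thresholds are deliberately coarse; on a busy server the stalled-connection count should be compared against the client's normal concurrency rather than a fixed number.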
  • 32. XerXes
    • Th3j35t3r's DoS tool
      – Routed through proxies like Tor to hide the attacker's origin
      – No one knows exactly what it does
      – Layer 7 DoS?
  • 33. XerXes
  • 34. Link-Local DoS
    • IPv6 Router Advertisements
  • 35. IPv4: DHCP
    • PULL process: the client requests an IP and the router provides one
    • (Diagram: Host says "I need an IP", Router replies "Use this IP")
  • 36. IPv6: Router Advertisements
    • PUSH process: the router announces its presence, and every client on the LAN creates an address and joins the network
    • (Diagram: Router says "JOIN MY NETWORK", Host replies "Yes, SIR")
  • 37. Router Advertisement Packet
  • 38. RA Flood
  • 39. Windows Vulnerability
    • It takes a LOT of CPU for Windows to process those Router Advertisements
    • 5 packets per second drives the CPU to 100%
    • And they are sent to every machine in the LAN (ff02::1 is Link-Local All Nodes Multicast)
    • One attacker kills all the Windows machines on a LAN
  • 40. Responsible Disclosure
    • Microsoft was alerted by Marc Heuse on July 10, 2010
    • Microsoft does not plan to patch this
    • Juniper and Cisco devices are also vulnerable
    • Cisco has released a patch, Juniper has not
  • 41. Defenses from RA Floods
    • Disable IPv6
    • Turn off Router Discovery
    • Block rogue RAs with a firewall
    • Get a switch with RA Guard
  • 42. RA Guard Evasion
    • Add "Fragmentation Headers" to the RA packets
      – http://samsclass.info/ipv6/proj/RA-evasion.html
  • 43. Fragmentation Headers
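An added detection example for slides 39 through 43, not code from the talk or from samsclass.info: it walks the IPv6 extension-header chain so that a Router Advertisement placed behind a fragment header (the RA Guard evasion above) is still recognised, and flags any source exceeding the 5 RA/s figure from slide 39. The packet builder, link-local addresses and timestamps are constructed for the demonstration.

```python
import ipaddress
import struct
from collections import Counter

ICMPV6, RA_TYPE = 58, 134
EXT_HEADERS = {0: "hop-by-hop", 43: "routing", 44: "fragment", 60: "dest-opts"}
def parse(pkt):
    """(is_router_advertisement, src, extension header names) for one raw IPv6 packet;
    walks the extension-header chain so an RA behind a fragment header is still seen."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return False, None, []
    src, nxt, off, exts = str(ipaddress.IPv6Address(pkt[8:24])), pkt[6], 40, []
    while nxt in EXT_HEADERS:
        if off + 8 > len(pkt):
            return False, src, exts                    # truncated chain
        exts.append(EXT_HEADERS[nxt])
        if nxt == 44:                                  # fragment header: fixed 8 bytes
            if struct.unpack("!H", pkt[off + 2:off + 4])[0] >> 3:
                return False, src, exts                # non-first fragment: no ICMPv6 header here
            nxt, off = pkt[off], off + 8
        else:                                          # others: length field in 8-octet units
            nxt, off = pkt[off], off + (pkt[off + 1] + 1) * 8
    return nxt == ICMPV6 and off < len(pkt) and pkt[off] == RA_TYPE, src, exts
def ra_flood_sources(timed_pkts, max_per_sec=5):
    """Sources sending more RAs per second than max_per_sec (the slide's 5 pps figure),
    plus any source whose RA sits behind a fragment header, which no real router sends."""
    per_second, flagged = Counter(), set()
    for ts, pkt in timed_pkts:
        is_ra, src, exts = parse(pkt)
        if is_ra:
            per_second[(src, int(ts))] += 1
            if "fragment" in exts:
                flagged.add(src)
    return flagged | {s for (s, _), n in per_second.items() if n > max_per_sec}
def build(src, exts, icmp_type):
    """Constructed test packet: IPv6 header, the given extension headers, then a
    minimal 16-byte ICMPv6 header of the given type (checksum left zero)."""
    chain = exts + [ICMPV6]
    body = b""
    for i, h in enumerate(exts):                       # each header names the one after it
        body += bytes([chain[i + 1], 0, 0, 0, 0, 0, 0, 1]) if h == 44 else bytes([chain[i + 1], 0]) + b"\x00" * 6
    body += bytes([icmp_type]) + b"\x00" * 15
    hdr = struct.pack("!IHBB", 0x60000000, len(body), chain[0], 255)
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address("ff02::1").packed + body

# Constructed capture: a rogue source at 20 RA/s for two seconds, one real router's RA, a
# neighbour solicitation (type 135) that must be ignored, and an RA behind dest-opts + fragment headers.
SAMPLE = [(t / 20, build("fe80::bad", [], RA_TYPE)) for t in range(40)]
SAMPLE += [(0.5, build("fe80::1", [], RA_TYPE)), (1.5, build("fe80::1", [0], 135))]
SAMPLE += [(3.0, build("fe80::beef", [60, 44], RA_TYPE))]
```

On a live network the same logic would be fed from a capture of traffic to ff02::1; RFC 6980 later required hosts to drop Neighbor Discovery messages, RAs included, that arrive with a fragment header.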
  • 44. Defending Websites
  • 45. Attack > Defense
    • Right now, your website is only up because
      – Not even one person hates you, or
      – All the people that hate you are ignorant about network security
  • 46. Defense
    • Mod Security--free open-source defense tool
      – Latest version has some protections against Layer 7 DoS
    • Akamai has good defense solutions
      – Caching
      – DNS Redirection
      – JavaScript second-request trick
  • 47. Load Balancer
  • 48. Counterattacks
    • Reflecting attacks back to the command & control server
    • Effective against dumb attackers like Anonymous LOIC
      – Will lose effect if they ever learn about Layer 7 DoS, which is happening now
  • 49. References
  • 50. References
    • Anonymous Takes Down U.S. Chamber Of Commerce And Supporter Websites: http://goo.gl/Mue9k
    • Slowloris HTTP DoS: http://ha.ckers.org/slowloris/
    • OWASP HTTP DoS Tool: http://code.google.com/p/owasp-dos-http-post/
    • Mitigating Slow HTTP DoS Attacks: http://blog.spiderlabs.com/2010/11/advanced-topic-of-the-week-mitigating-slow-http-dos-attacks.html
    • 'Tis the Season of DDoS – WikiLeaks Edition (Outage charts): http://goo.gl/V5jZc
  • 51. References
    • ModSecurity: http://goo.gl/56hbl
    • Akamai DDoS Report: http://baythreat.org/MichaelSmith_DDoS.pdf
    • How Secure Is Julian Assange's "Thermonuclear" Insurance File?: http://goo.gl/sY6Nn
    • Overview of Anonymous and their attack on MasterCard: http://goo.gl/lVsCD
    • Operation Payback Toolkit: LOIC and HiveMind: http://pastehtml.com/view/1c8i33u.html
  • 52. References
    • r-u-dead-yet: http://code.google.com/p/r-u-dead-yet/
    • Keep-Alive DoS Script: http://www.esrun.co.uk/blog/keep-alive-dos-script/
    • Router Advertisement DoS in Windows: http://samsclass.info/ipv6/proj/flood-router6a.htm
    • RA Guard Evasion: http://samsclass.info/ipv6/proj/RA-evasion.html
    • XerXes Attack Video: http://goo.gl/j8NQE